Can PCI DSS Compliance Be Achieved in a Cloud Environment?

Size: px
Start display at page:

Download "Can PCI DSS Compliance Be Achieved in a Cloud Environment?"

Transcription

1 royal holloway Can Compliance Be Achieved in a Cloud Environment? Organisations are considering whether to run -based systems in a cloud environment. The security controls in the cloud may be sufficient to achieve compliance, but doing so may not be cost effective or practical. By Patrick Durkin and Geraint Price

2 Can Compliance Be Achieved in a Cloud Environment? Today, cloud computing is being marketed as the solution to the majority of an organisation s IT needs. Combining this with the growth of e-commerce, it seems beneficial for organisations to use a cloud service s flexibility to meet its business requirements. However, before moving IT services to the cloud, an organisation must consider the contractual, legal, and regulatory obligations it has to the protection of data. The storing and processing of data may require compliance to laws and standards such as the Data Protection Act, government standards and PCI DSS. When the data is hosted within an organisation s own environment, or in a dedicated private hosting solution, system boundaries can be relatively easily defined. This is not the case when using shared resources such as a cloud service. How can an organisation be assured of where its data actually is? Who has access to the data, network traffic and system administration interfaces? How can unauthorised access be detected and how are data confidentiality and integrity services provided? Whilst these questions should be considered in any environment, the problems are compounded when using cloud services. This is due to the different levels of administration, resource separation and data destruction. Cloud is an abstract idea that has been accepted by the IT industry. Cloud computing has been adopted by many to describe various services provided, typically on an on-demand, pay-as-you-go basis by a service provider to a customer, and accessed via the Internet. It usually includes five essential characteristics: Can Compliance Be Achieved in a Cloud Environment? 2

3 Can Compliance Be Achieved in a Cloud Environment? On-demand self-service Broad network access Resource pooling Rapid elasticity Measured service Cloud computing is offered to consumers under three service models, usually described as: software as a Service (SaaS) infrastructure as a Service (IaaS) Platform as a Service (PaaS) Cloud services may be: Public multi-tenanted, or Private dedicated to a single customer Combining cloud service models and hosting models is known as a hybrid cloud model. The use of the metering can facilitate the understanding of the true IT requirements of an organisation and its cost on a department by department basis. This is now marketed to an organisation as IT as a Service (ITaaS). Independent of cloud computing, moving from self-hosted IT services to outsourced IT services has been a business model for some time now. Two primary economic implications are: A shift of capital expenditure (Capex) to operational expenditure (Opex) The potential reduction in Opex when operating the IT services This shift from Capex to Opex can lower the financial barriers for the initiation of a new project. Cloud computing removes the investment commitment to dedicated hardware for customers and improves resource utilisation for service providers. The difference in economics between private and outsourced hosting models and the cloud model is due to better cost structures for cloud infrastructures. The primary reason is simply the economics of volume. Can Compliance Be Achieved in a Cloud Environment? 3

4 Can Compliance Be Achieved in a Cloud Environment? is the buying and selling of products or services via the Internet. Associated electronic payment methods have evolved from those within the physical commerce system and consequently have much in common with each other. Electronic money transfers are not new technology. Banks have been using electronic transfers since the 1960s and bank customers have been able to withdraw cash from ATMs since the 1970s. When using electronic payment systems, the transaction process requires communication between the user, merchant and card issuer. Since e-commerce commonly uses the internet as a communication channel, transaction communications must be protected from eavesdropping and manipulation to ensure the confidentiality and integrity of the transaction details. The payment card data will also be vulnerable if an attacker can access component parts of an e-commerce system. So communication between these parts must also be protected to ensure end-to-end confidentiality and integrity of the transaction details. Organised crime has realised the value of payment card details stored online. So the threat of unauthorised disclosure of payment card data via web and online services has now become a reality. The UK National Security Council has stated that attacks on computer networks and systems represent one of the biggest emerging threats to the UK. Cybercrime illegal activity using computer systems and networks has now been recognised by the courts for some time. This has enabled law enforcement authorities to act and deter such activities. The law applies to people, not technologies. Therefore, once the perpetrator is identified, a crime committed via the Internet can indeed lead to prosecution and imprisonment. The Payment Card Industry Data Security Standard () The was jointly created in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express. In 2006, the PCI Security Standards Council (PCI SSC) was launched to provide the ongoing development, management, education and awareness of the security standard. The goal of is to encourage merchants and service providers to protect payment card data. The DSS affects any company or organisation that accepts, processes, transmits or stores payment card details. It comprises a minimum set of requirements intended to reduce the risk and Can Compliance Be Achieved in a Cloud Environment? 4

5 Can Compliance Be Achieved in a Cloud Environment? provide a holistic approach to the security of the Card Data Environment (CDE). Currently has no legal status and can only be enforced by contractual methods. The PCI Security Standards Council does not impose any consequences for non-compliance and there are no standardised penalties. However, payment card brands attempt to enforce compliance through differential processing fees, fines and other financial penalties. Virtualisation In 2011 the PCI Security Standards Council issued an information supplement: Guidelines. This provides guidance on the use of virtualisation technologies in a CDE. There are four simple principles associated with the use of virtualisation in CDEs: 1. If virtualisation technologies are used in a CDE, requirements apply to those virtualisation technologies. 2. Virtualisation technology introduces new risks that must be assessed. 3. Implementations of virtual technologies can vary greatly. 4. There is no one-size-fits-all method or solution to configure virtualised environments to meet requirements. Of these four principles, (3) and (4) are applicable to all implementations of CDEs. So we concentrate on the aspects of (1) and (2) which are specific to virtualisation. These principles can be combined into: Virtualisation technologies have to be risk-assessed and controls implemented to meet at least the requirements of. The PCI SSC Guidelines list 11 factors for consideration. A few examples of the factors are: Vulnerabilities in the physical environment apply in a virtual environment information leakage between virtual components more than one function per physical system maturity of monitoring solutions lack of separation of duties Can Compliance Be Achieved in a Cloud Environment? 5

6 Can Compliance Be Achieved in a Cloud Environment? Whilst not a definitive list, it provides a starting point for understanding the concerns of the PCI SSC regarding virtualisation technologies. The PCI SSC includes various recommendations for controls and best practices that should facilitate compliance. The recommendations include: evaluate risks associated with virtual technologies restrict physical access implement defence in depth isolate security functions enforce least privilege and separation of duties The PCI SSC Guidelines also include barriers to security that cloud computing introduces. A few examples of the barriers are: The distributed architecture of cloud environments adds layers of technology and complexity to the environment. Public cloud environments are designed to be public Internet facing. The infrastructure can be dynamic and boundaries between tenant environments may be fluid. The hosted entity has limited or no visibility into the underlying infrastructure and related security controls. Although all the factors, recommendations and barriers included in the Guidelines are valid, there are repetitions that could be consolidated. Table 1 summarises the PCI SSC s areas of concern and places them into categories that encompass the individual factors, recommendations and barriers. As the risk assessment shown in Table 1 should be included as part of an Integrated Safety Management System (ISMS), all of the concerns behind the headings listed in table 1 could be consolidated into the four groups: architecture and security controls Physical security and audit ISMS and governance The considerations for the two groups of physical security and ISMS and governance would be the same for virtualised and non-virtualised envi- Can Compliance Be Achieved in a Cloud Environment? 6

7 Can Compliance Be Achieved in a Cloud Environment? table 1. Categorising of the Factors and Recommendations of the PCI SSC virtualization guidelines The 11 factors can be categorised into four groups: The general recommendations which are virtualisation specific can be categorised into three groups: The recommendation for mixed mode environments can be categorised as: The recommendations for cloud computing environments can be categorised into three groups: proposed categories architecture and security controls Physical security and audit Information Security Management System and governance architecture and security controls and audit Risk assessment architecture and security controls architecture and security controls and audit Risk assessment ronments hosting a CDE. Whilst monitoring and audit also apply to both environments there are additional considerations for virtualised environments due to the shared hosting environment. architecture and security controls would only apply to virtualised environments. So, for a virtualised environment to comply with the, it is the two groups of the hypervisor architecture and security controls, and the monitoring and audit capabilities which must provide sufficient controls to meet the PCI DSS requirements. We will look at these two categories next. There are two types of hypervisors. A type I hypervisor is installed directly onto the hardware and is known as a bare metal hypervisor. A type II hypervisor is installed over an operating system which provides the interface to the hardware. Type I hypervisors have significant advantages over type II, namely: No performance degradation from running through a host operating system No threat of associated vulnerabilities in the hosting operating system Can Compliance Be Achieved in a Cloud Environment? 7

8 Can Compliance Be Achieved in a Cloud Environment? Simpler design with only the running of VMs to consider Let us consider the VMware ESXi as a case study to illustrate the security controls available within hypervisor technologies. ESXi is a type I hypervisor. From a security perspective, it has three major components: The virtualisation layer Virtual machines The virtual networking layer The virtualisation layer is designed to run virtual machines (VMs). The VMkernel acts as a bridge between the hardware resources and the VMs. Isolation between the VMkernel and VMs is possible by utilising the security capabilities presented by CPU hardware, paging and ring architectures. The physical memory of the host system is used by all VMs. It is imperative that sufficient controls are in place to prevent attacks on the cardholder data being stored in memory. In a virtualised system, the guest operating system maintains page tables just as the operating system in a native system does. In addition, the VM monitor (VMM) maintains an additional layer of mapping. This is the mapping of VM physical page numbers to host hypervisor physical page numbers. Because of the extra level of memory mapping introduced by virtualisation, the VMkernel can effectively manage memory presented across all VMs. ESXi also utilises Intel XD and AMD NX support to mark writeable areas of memory as non-executable. The virtual network security architecture is controlled by the VMkernel. Just as the VMkernel prevents VM s from directly communicating, it also provides network isolation. The VMkernel also provides the bridge between the hardware resources and the vswitch, which is a component that manages the virtual network connecting together various VMs and the outside world. A virtual switch, by design, cannot leak packets directly to another virtual switch. The only way for packets to travel from one virtual switch to another is under the following circumstances: Labo. Ur, ommodiorum quis verero tenempostet fugiand igent, quaecusam iumet apelit et reperoresto quidelit et re iundae quiaestiat es nonsecae labo. Iliquia Can Compliance Be Achieved in a Cloud Environment? 8

9 Can Compliance Be Achieved in a Cloud Environment? The virtual switches are connected to the same physical LAN. The virtual switches connect to a common VM, which could be used to transmit packets. To verify that no common virtual switch paths exist, it is possible to check for shared points of contact by reviewing the network switch layout in the vsphere Client. Most hypervisors will support logging to a syslog server and Simple Network Management Protocol (SNMP) traps. In addition to syslog and SNMP services, ESXi provides an additional interface for third party agents that use the following protocols: Common Information Model Extensible Mark-up Language (CIM XML) Web Services for Management (WSMAN) These management services provide the interfaces to obtain the required monitoring and audit information. So it seems that the basic concerns of the PCI SSC regarding virtualisation can be addressed within ESXi, providing ESXi itself can be trusted. The Common Criteria provide an internationally recognised model for the evaluation of products. The highest level usually attained by commercial products is known as EAL4. ESXi has passed evaluation at the EAL 4+ level of assurance. So some trust can be placed in ESXi. Further trust of the hosting virtualisation system can be achieved by the use of Trusted Platform Module (TPM) technology to protect the VMkernel from tampering and corruption. Trust implies that an entity will always behave in the expected manner for its intended purpose. This means that if a known entity is operating and the properties of the entity are known, the party relying on that entity can make an informed decision whether to trust the entity. The role of the trusted platform is always to work in the same way and to report the status of the platform accurately. The Trusted Group (TCG) provides the specifications for the Trusted Platform Module (TPM). The TPM is a computer chip that can securely store authentication data (such as passwords, certificates, and encryption keys) and Platform measurements (that help ensure that the platform remains trustworthy). The TPM can be used with Intel Trusted Can Compliance Be Achieved in a Cloud Environment? 9

10 Can Compliance Be Achieved in a Cloud Environment? execution Technology (TXT) to provide an accurate comparison of all the critical elements of a system s launch environment against a known good source. TXT creates a cryptographically unique identifier for each approved launch-enabled component of ESXi. This is stored within the TPM. TXT then uses hardware-based enforcement mechanisms to block the launch of any code that does not match the approved code. Thus, systems hosting the CDE can offer a greater level of protection when using TPM and TXT technologies to provide attestation of the integrity of the VMkernel and the VMs. With a correctly configured host system and CDE it should therefore be possible to achieve compliance in a cloud environment. This would be further facilitated if the service provider offered the cloud service only to applications and systems that were also configured to a level of security with at least the equivalent of that required by the PCI SSC. However, whilst it might be possible to achieve compliance in a cloud-hosted environment, in most cases it seems to be impractical and not cost effective. The reasons include, but are not limited, to: The additional controls and applications would require expert security knowledge and support The extra key management and logging networks will also require bandwidth and additional processing power for the encryption services protecting the network traffic The problems with agreeing about liability and the cost of proving the party at fault in the case of unauthorised disclosure There are further concerns that are not limited to payment card data, but to any data that requires protection whilst hosted in the cloud. Among these are: Departments and overzealous staff may become frustrated with internal IT services and independently move data or applications to a cloud service A thorough investigation and risk analysis of a cloud service would need to be performed to understand: The cloud service environment The security controls of the hosting platform Can Compliance Be Achieved in a Cloud Environment? 10

11 Can Compliance Be Achieved in a Cloud Environment? The scope of any audits or certifications (such as ISO or SAS70) The reliability of the company and staff The integrity of audit logs is still not guaranteed In conclusion, if an organisation were considering cloud services to host a compliant e-commerce solution, a hybrid system seems best. Specifically, this hybrid system would use cloud services for the web services but a dedicated service for payment processing which is, for example: Privately hosted by the merchant, or Hosted by a third party, or Provided by a payment service such as PayPal. n About the authors: Patrick Durkin has worked within the information security industry for the past 15 years. He specialises in information security consultancy and the delivery of security enterprise architecture solutions. After completing his MSc at Royal Holloway in 2011, he joined the HP ESS Security and Cyber Practice. Geraint Price is a lecturer in information security at Royal Holloway. His research interests include secure protocols, public key infrastructures, denial of service attacks and resilient security. Can Compliance Be Achieved in a Cloud Environment? 11

Can PCI DSS compliance be achieved in a cloud environment?

Can PCI DSS compliance be achieved in a cloud environment? Can PCI DSS compliance be achieved in a cloud environment? Durkin, Patrick Student number:100647746 Supervisor: Geraint Price Submitted as part of the requirements for the award of the MSc in Information

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

PCI DSS and the A10 Solution

PCI DSS and the A10 Solution White Paper A10 Thunder Series PCI DSS and the A10 Solution For cloud service providers, A10 s Thunder Series & AX Series appliances and SoftAX are the first step towards PCI compliance, allowing you to

More information

Cloud Computing: The atmospheric jeopardy. Unique Approach Unique Solutions. Salmon Ltd 2014 Commercial in Confidence Page 1 of 5

Cloud Computing: The atmospheric jeopardy. Unique Approach Unique Solutions. Salmon Ltd 2014 Commercial in Confidence Page 1 of 5 Cloud Computing: The atmospheric jeopardy Unique Approach Unique Solutions Salmon Ltd 2014 Commercial in Confidence Page 1 of 5 Background Cloud computing has its place in company computing strategies,

More information

Virtualization Impact on Compliance and Audit

Virtualization Impact on Compliance and Audit 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

PCI DSS and the A10 Solution

PCI DSS and the A10 Solution WHITE PAPER PCI DSS and the A10 Solution How Cloud Service Providers Can Achieve PCI Compliance with A10 Thunder ADC and vthunder Table of Contents The Challenge of PCI Compliance... 3 Overview of PCI

More information

PCI Compliance in a Virtualized World

PCI Compliance in a Virtualized World PCI Compliance in a Virtualized World Security Technology Infrastructure Security Integration 24x7 Support MSS Training Information Assurance Staff Augmentation Presenters John Clark QSA, PMP, CISA, CISSP

More information

Platform as a Service and PCI www.engineyard.com

Platform as a Service and PCI www.engineyard.com Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it

More information

Control your corner of the cloud.

Control your corner of the cloud. Chapter 1 of 5 Control your corner of the cloud. From the halls of government to the high-rise towers of the corporate world, forward-looking organizations are recognizing the potential of cloud computing

More information

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011 Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines

More information

Delivering actionable service knowledge

Delivering actionable service knowledge Delivering actionable service knowledge Converged Infrastructure Monitoring and Management (CIM 2 ) Delivering actionable service knowledge Converged Infrastructure Monitoring & Management (CIM 2 ) from

More information

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Eric A. Hibbard, CISSP, CISA Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Cloud Computing in a Regulated Environment

Cloud Computing in a Regulated Environment Computing in a Regulated Environment White Paper by David Stephenson CTG Regulatory Compliance Subject Matter Expert February 2014 CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, READING, Berks RG2

More information

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Matthew T. Davis SecureState, LLC mdavis@securestate.com SecureState Founded in 2001, Based on Cleveland Specialized

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Virtualization, SDN and NFV

Virtualization, SDN and NFV Virtualization, SDN and NFV HOW DO THEY FIT TOGETHER? Traditional networks lack the flexibility to keep pace with dynamic computing and storage needs of today s data centers. In order to implement changes,

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst Clouds on the Horizon Cloud Security in Today s DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment

More information

VMware Solution Guide for. Payment Card Industry (PCI) September 2012. v1.3

VMware Solution Guide for. Payment Card Industry (PCI) September 2012. v1.3 VMware Solution Guide for Payment Card Industry (PCI) September 2012 v1.3 VALIDATION DO CU MENT Table of Contents INTRODUCTION... 3 OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS... 5 GUIDANCE

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

PROTECTING DATA IN MULTI-TENANT CLOUDS

PROTECTING DATA IN MULTI-TENANT CLOUDS 1 Introduction Today's business environment requires organizations of all types to reduce costs and create flexible business processes to compete effectively in an ever-changing marketplace. The pace of

More information

How a Cloud Service Provider Can Offer Adequate Security to its Customers

How a Cloud Service Provider Can Offer Adequate Security to its Customers royal holloway s, How a Cloud Service Provider Can Offer Adequate Security to its Customers What security assurances can cloud service providers give their customers? This article examines whether current

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015. Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines

More information

Index. BIOS rootkit, 119 Broad network access, 107

Index. BIOS rootkit, 119 Broad network access, 107 Index A Administrative components, 81, 83 Anti-malware, 125 ANY policy, 47 Asset tag, 114 Asymmetric encryption, 24 Attestation commercial market, 85 facts, 79 Intel TXT conceptual architecture, 85 models,

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

Virtual Computing and VMWare. Module 4

Virtual Computing and VMWare. Module 4 Virtual Computing and VMWare Module 4 Virtual Computing Cyber Defense program depends on virtual computing We will use it for hands-on learning Cyber defense competition will be hosted on a virtual computing

More information

Intel Cloud Builders Guide: Cloud Design and Deployment on Intel Platforms

Intel Cloud Builders Guide: Cloud Design and Deployment on Intel Platforms Intel Cloud Builders Guide Intel Xeon Processor 5600 Series Parallels* Security Monitoring and Service Catalog for Public Cloud VPS Services Parallels, Inc. Intel Cloud Builders Guide: Cloud Design and

More information

Mitigating Information Security Risks of Virtualization Technologies

Mitigating Information Security Risks of Virtualization Technologies Mitigating Information Security Risks of Virtualization Technologies Toon-Chwee, Wee VMWare (Hong Kong) 2009 VMware Inc. All rights reserved Agenda Virtualization Overview Key Components of Secure Virtualization

More information

managing the risks of virtualization

managing the risks of virtualization managing the risks of virtualization Chris Wraight CA Technologies 28 February 2011 Session Number 8951 abstract Virtualization opens the door to a world of opportunities and well managed virtualization

More information

Lecture 02b Cloud Computing II

Lecture 02b Cloud Computing II Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

Conquering PCI DSS Compliance

Conquering PCI DSS Compliance Any organization that stores, processes or transmits information related to credit and debit card payments has a responsibility to protect each cardholder s personal data. To help accomplish this goal,

More information

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project

More information

Securing the Physical, Virtual, Cloud Continuum

Securing the Physical, Virtual, Cloud Continuum Securing the Physical, Virtual, Cloud Continuum By Ted Ritter, CISSP Senior Research Analyst Executive Summary The data center is undergoing a radical shift, from virtualization towards internal cloud

More information

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao Guocui.gao@tufts.

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao Guocui.gao@tufts. Tufts University Department of Computer Science COMP 116 Introduction to Computer Security Fall 2014 Final Project Investigating Security Issues in Cloud Computing Guocui Gao Guocui.gao@tufts.edu Mentor:

More information

Enabling Technologies for Distributed Computing

Enabling Technologies for Distributed Computing Enabling Technologies for Distributed Computing Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF Multi-core CPUs and Multithreading Technologies

More information

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition VMware vcloud Architecture Toolkit Version 2.0.1 October 2011 This product is protected by U.S. and international copyright and intellectual property laws. This product is covered by one or more patents

More information

Security and Privacy in Public Clouds. David Lie Department of Electrical and Computer Engineering University of Toronto

Security and Privacy in Public Clouds. David Lie Department of Electrical and Computer Engineering University of Toronto Security and Privacy in Public Clouds David Lie Department of Electrical and Computer Engineering University of Toronto 1 Cloud Computing Cloud computing can (and is) applied to almost everything today.

More information

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com Introduction to Cloud Computing Srinath Beldona srinath_beldona@yahoo.com Agenda Pre-requisites Course objectives What you will learn in this tutorial? Brief history Is cloud computing new? Why cloud computing?

More information

SECURITY IN OPERATING SYSTEM VIRTUALISATION

SECURITY IN OPERATING SYSTEM VIRTUALISATION SECURITY IN OPERATING SYSTEM VIRTUALISATION February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in

More information

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud? East African Information Conference 13-14 th August, 2013, Kampala, Uganda Security and Privacy: Can we trust the cloud? By Dr. David Turahi Director, Information Technology and Information Management

More information

VMware vcloud Service Definition for a Public Cloud. Version 1.6

VMware vcloud Service Definition for a Public Cloud. Version 1.6 Service Definition for a Public Cloud Version 1.6 Technical WHITE PAPER 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.

More information

Information Security: Cloud Computing

Information Security: Cloud Computing Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration

More information

Lecture 02a Cloud Computing I

Lecture 02a Cloud Computing I Mobile Cloud Computing Lecture 02a Cloud Computing I 吳 秀 陽 Shiow-yang Wu What is Cloud Computing? Computing with cloud? Mobile Cloud Computing Cloud Computing I 2 Note 1 What is Cloud Computing? Walking

More information

SECURING HEALTH INFORMATION IN THE CLOUD. Feisal Nanji, Executive Director, Techumen feisal@techumen.com

SECURING HEALTH INFORMATION IN THE CLOUD. Feisal Nanji, Executive Director, Techumen feisal@techumen.com SECURING HEALTH INFORMATION IN THE CLOUD Feisal Nanji, Executive Director, Techumen feisal@techumen.com Conflict of Interest Disclosure Feisal Nanji, MPP, CISSP Has no real or apparent conflicts of interest

More information

CYBER SECURITY Audit, Test & Compliance

CYBER SECURITY Audit, Test & Compliance www.thalescyberassurance.com CYBER SECURITY Audit, Test & Compliance 02 The Threat 03 About Thales 03 Our Approach 04 Cyber Consulting 05 Vulnerability Assessment 06 Penetration Testing 07 Holistic Audit

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Cloud computing: benefits, risks and recommendations for information security

Cloud computing: benefits, risks and recommendations for information security Cloud computing: benefits, risks and recommendations for information security Dr Giles Hogben Secure Services Programme Manager European Network and Information Security Agency (ENISA) Goals of my presentation

More information

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments H Y T RUST: S OLUTION B RIEF Solve the Nosy Neighbor Problem in Multi-Tenant Environments Summary A private cloud with multiple tenants such as business units of an enterprise or customers of a cloud service

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. White Paper January 2013 1 INTRODUCTION The PCI SSC (Payment

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Module 1: Facilitated e-learning

Module 1: Facilitated e-learning Module 1: Facilitated e-learning CHAPTER 3: OVERVIEW OF CLOUD COMPUTING AND MOBILE CLOUDING: CHALLENGES AND OPPORTUNITIES FOR CAs... 3 PART 1: CLOUD AND MOBILE COMPUTING... 3 Learning Objectives... 3 1.1

More information

Security and Cloud Computing

Security and Cloud Computing Security and Cloud Computing Martin Borrett, Lead Security Architect NE Europe, WW Service Management Tiger Team IBM Software Optimising the World s Infrastructure 27th May - London Agenda Brief Introduction

More information

Cloud Security: The Grand Challenge

Cloud Security: The Grand Challenge Dr. Paul Ashley IBM Software Group pashley@au1.ibm.com Cloud Security: The Grand Challenge Outline Cloud computing: the pros, the cons, the blind spots Security in the cloud - what are the risks now and

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation Cloud Security Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs peterjopling 2011 IBM Corporation Cloud computing impacts the implementation of security in fundamentally new ways

More information

Effective End-to-End Cloud Security

Effective End-to-End Cloud Security Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of

More information

Overcoming Security Challenges to Virtualize Internet-facing Applications

Overcoming Security Challenges to Virtualize Internet-facing Applications Intel IT IT Best Practices Cloud Security and Secure ization November 2011 Overcoming Security Challenges to ize Internet-facing Applications Executive Overview To enable virtualization of Internet-facing

More information

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On

More information

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions Managed Security Managed Security MANAGED SECURITY SOLUTIONS I would highly recommend for your company s network review... were by far the best company IT Manager, Credit Management Agency Presenting IT

More information

Security in the Cloud: Visibility & Control of your Cloud Service Providers

Security in the Cloud: Visibility & Control of your Cloud Service Providers Whitepaper: Security in the Cloud Security in the Cloud: Visibility & Control of your Cloud Service Providers Date: 11 Apr 2012 Doc Ref: SOS-WP-CSP-0412A Author: Pierre Tagle Ph.D., Prashant Haldankar,

More information

Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation

Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation White Paper Securing Multi-Tenancy and Cloud Computing Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation Copyright 2012, Juniper Networks,

More information

Enabling Technologies for Distributed and Cloud Computing

Enabling Technologies for Distributed and Cloud Computing Enabling Technologies for Distributed and Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF Multi-core CPUs and Multithreading

More information

CloudControl Support for PCI DSS 3.0

CloudControl Support for PCI DSS 3.0 HyTrust CloudControl Support for PCI DSS 3.0 Summary In PCI DSS 3.0, hypervisors and virtual networking components are always in-scope for audit; Native auditing capabilities from the core virtualization

More information

Trusted Geolocation in the Cloud. Based on NIST Interagency Report 7904 - Trusted Geolocation in the Cloud: Proof of Concept Implementation

Trusted Geolocation in the Cloud. Based on NIST Interagency Report 7904 - Trusted Geolocation in the Cloud: Proof of Concept Implementation Trusted Geolocation in the Cloud Based on NIST Interagency Report 7904 - Trusted Geolocation in the Cloud: Proof of Concept Implementation 2 Agenda Definition of cloud computing Trusted Geolocation in

More information

Data Protection: From PKI to Virtualization & Cloud

Data Protection: From PKI to Virtualization & Cloud Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc. Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security

More information

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information

More information

Managing the Real Cost of On-Demand Enterprise Cloud Services with Chargeback Models

Managing the Real Cost of On-Demand Enterprise Cloud Services with Chargeback Models Managing the Real Cost of On-Demand Enterprise Cloud Services with Chargeback Models A Guide to Cloud Computing Costs, Server Costs, Pricing Plans, and Chargeback Implementation and Systems Introduction

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

IBM PowerSC. Security and compliance solution designed to protect virtualised data centres. Highlights. IBM Systems and Technology Data Sheet

IBM PowerSC. Security and compliance solution designed to protect virtualised data centres. Highlights. IBM Systems and Technology Data Sheet IBM PowerSC Security and compliance solution designed to protect virtualised data centres Highlights Simplify security management and compliance measurement Reduce administration costs of meeting compliance

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified

More information

Security & Cloud Services IAN KAYNE

Security & Cloud Services IAN KAYNE Security & Cloud Services IAN KAYNE CloudComponents CLOUD SERVICES Dynamically scalable infrastructure, services and software based on broad network accessibility NETWORK ACCESS INTERNAL ESTATE CloudComponents

More information

Trusted Geolocation in The Cloud Technical Demonstration

Trusted Geolocation in The Cloud Technical Demonstration Trusted Geolocation in The Cloud Technical Demonstration NIST Interagency Report 7904 - Trusted Geolocation in the Cloud: Proof of Concept Implementation Trusted Geolocation in the Cloud Business Business

More information

Making Data Security The Foundation Of Your Virtualization Infrastructure

Making Data Security The Foundation Of Your Virtualization Infrastructure Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P: 650.681.8100 Securing data has never been an easy task. Its challenges

More information

Building Blocks Towards a Trustworthy NFV Infrastructure

Building Blocks Towards a Trustworthy NFV Infrastructure Building Blocks Towards a Trustworthy NFV Infrastructure IRTF NFVRG Adrian L. Shaw Hewlett-Packard Laboratories / July 22 nd, 2015 1 Why security and trust? Big requirement for critical

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

Cloud Computing Security Considerations

Cloud Computing Security Considerations Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction

More information

ANALYSIS OF RISKS AND SKEPTICISM OF ORGANIZATIONAL CLOUD COMPUTING

ANALYSIS OF RISKS AND SKEPTICISM OF ORGANIZATIONAL CLOUD COMPUTING ANALYSIS OF RISKS AND SKEPTICISM OF ORGANIZATIONAL CLOUD COMPUTING Richmond Ikechukwu Ibe (Ph.D.) Assistant Professor of business Management, Jarvis Christian College, Howkins, TX United States of America

More information

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or

More information

itg CloudBase is a suite of fully managed Hybrid & Private Cloud Services ready to support your business onwards and upwards into the future.

itg CloudBase is a suite of fully managed Hybrid & Private Cloud Services ready to support your business onwards and upwards into the future. Web Filtering Email Filtering Mail Archiving Cloud Backup Disaster Recovery Virtual Machines Private Cloud itg CloudBase is a suite of fully managed Hybrid & Private Cloud Services ready to support your

More information

Connecting to the Cloud

Connecting to the Cloud Connecting to the Cloud Six Degrees Group www.6dg.co.uk Managed Cloud Hosting Companies all over the world are intrigued by the possibility of cloud services but they have profound concerns about the privacy,

More information

Security. Environments. Dave Shackleford. John Wiley &. Sons, Inc. s j}! '**»* t i j. l:i. in: i««;

Security. Environments. Dave Shackleford. John Wiley &. Sons, Inc. s j}! '**»* t i j. l:i. in: i««; Security N Environments '' J J H -. i ^ s j}! Dave Shackleford '**»* t i j i««; l:i in: John Wiley &. Sons, Inc. Contents Introduction.. : xix Chapter l Fundamentals of Virtualization Security Virtualization

More information

Cloud Service Providers Overcoming security and compliance barriers

Cloud Service Providers Overcoming security and compliance barriers Cloud Service Providers Overcoming security and compliance barriers Dr Theodoros Stergiou, CEng, CPMM Security Solutions Product Manager & Cloud Security Officer Agenda A brief introduction Security barriers

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

PCI v2.0 Compliance for Wireless LAN

PCI v2.0 Compliance for Wireless LAN PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki

More information

Virtualization and Cloud Computing

Virtualization and Cloud Computing Virtualization and Cloud Computing Security is a Process, not a Product Guillermo Macias CIP Security Auditor, Sr. Virtualization Purpose of Presentation: To inform entities about the importance of assessing

More information